Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2023-12-07T00:00:00
Updated: 2024-08-02T20:53:21.945Z
Reserved: 2023-10-28T00:00:00
Link: CVE-2023-46857
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-12-07T06:15:54.740
Modified: 2024-11-21T08:29:26.160
Link: CVE-2023-46857
Redhat
No data.